we10710aa / node-red-contrib-actions-google
Node Red's actions on google library
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
Step up your Open Source Security Game with Mend here
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in base branch: master
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution (node-fetch): 2.6.7
Direct dependency fix Resolution (actions-on-google): 2.13.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
Hi,
great job with this node-red module! I've learned about bots thanks to it!
You said in the doc:
For now this library only support Actions on Google with Dialogflow
Do you have a plan to make the response compatible with Telegram? I have enabled Telegram integration in my DialogFlow console, requests arrive at node-red but the built response does not show up in Telegram. I think the property platform with the value TELEGRAM is not sent back...
I'd love to use the same logic between Google Assistant and Telegram.
Great job!
Thank you
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
forge is vulnerable to URL Redirection to Untrusted Site
Mend Note: Converted from WS-2022-0007, on 2022-11-07.
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution (node-forge): 1.0.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
Found in base branch: master
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution (node-fetch): 2.6.1
Direct dependency fix Resolution (actions-on-google): 2.13.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: master
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Publish Date: 2023-11-08
URL: CVE-2023-45857
Base Score Metrics:
Type: Upgrade version
Release Date: 2023-11-08
Fix Resolution (axios): 0.20.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
JSON.parse with bigints support
Library home page: https://registry.npmjs.org/json-bigint/-/json-bigint-0.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json-bigint/package.json
Dependency Hierarchy:
Found in base branch: master
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
Publish Date: 2020-09-18
URL: CVE-2020-8237
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/916430
Release Date: 2020-09-30
Fix Resolution (json-bigint): 1.0.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Publish Date: 2020-09-01
URL: CVE-2020-7720
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-09-01
Fix Resolution (node-forge): 0.10.0
Direct dependency fix Resolution (actions-on-google): 2.13.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
In node-forge before 1.0.0, the regex used for the forge.util.parseUrl API would not properly parse certain inputs, resulting in a parsed data structure that could lead to undesired behavior.
Publish Date: 2022-01-08
URL: WS-2022-0007
Step up your Open Source Security Game with WhiteSource here
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution (follow-redirects): 1.14.8
Direct dependency fix Resolution (actions-on-google): 3.0.0
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/axios/package.json
Dependency Hierarchy:
Found in base branch: master
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (actions-on-google): 3.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in base branch: master
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution (node-forge): 1.3.0
Direct dependency fix Resolution (actions-on-google): 3.0.0
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/qs/package.json
Dependency Hierarchy:
Found in base branch: master
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Publish Date: 2022-11-26
URL: CVE-2022-24999
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999
Release Date: 2022-11-26
Fix Resolution (qs): 6.9.7
Direct dependency fix Resolution (actions-on-google): 2.13.0
Hi,
We've detected that your node has a dependency on an old version of agent-base (<6.0.0).
These old versions were patching a core node.js function in a way that could break other libraries, including one we started using in Node-RED 2.0 for the HTTP Request node.
Therefore any users that upgrade to Node-RED 2.0 and have your node installed (or later try to install it) will get errors when using the http-request node.
Could you please take a look at your dependencies and see if you can update the versions so that you are no longer dependent on agent-base before version 6.0.0?
Note that a module you are using could itself have a dependency on agent-base, so you might need to check for updates to that module; to help you, we've attached your node's dependency tree below.
More details on this issue and the warning message that is now displayed in Node-RED 2.0.2 are on the forum at https://discourse.nodered.org/t/node-red-2-0-2-released/48767
└─ [email protected]
└─ [email protected]
├─ @types/[email protected]
├─ @types/[email protected]
│ ├─ @types/[email protected]
│ │ ├─ @types/[email protected]
│ │ └─ @types/[email protected]
│ ├─ @types/[email protected]
│ │ ├─ @types/[email protected]
│ │ │ └─ @types/[email protected]
│ │ └─ @types/[email protected]
│ ├─ @types/[email protected]
│ └─ @types/[email protected]
│ ├─ @types/[email protected]
│ ├─ @types/[email protected]
│ └─ @types/[email protected]
├─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ │ └─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ │ ├─ [email protected]
│ │ │ │ └─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ │ └─ [email protected]
│ │ │ └─ [email protected]
│ │ └─ [email protected]
│ └─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ └─ [email protected]
│ │ └─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ │ └─ [email protected]
│ │ └─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ │ └─ [email protected]
│ └─ [email protected]
├─ [email protected]
│ └─ [email protected]
├─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ │ └─ [email protected]
│ │ └─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ └─ [email protected]
│ │ ├─ [email protected]
│ │ └─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ ├─ [email protected]
│ │ │ │ └─ [email protected]
│ │ │ └─ [email protected]
│ │ └─ [email protected]
│ ├─ [email protected]
│ │ ├─ [email protected]
│ │ ├─ [email protected]
│ │ └─ [email protected]
│ └─ [email protected]
│ ├─ [email protected]
│ └─ [email protected]
└─ @types/[email protected]
Thanks in advance for looking into this.
Sam
PS Sorry for the templated issue but we've got a number of nodes with the issue so I'm automating the issue creation.
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.5.10.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/follow-redirects/package.json
Dependency Hierarchy:
Found in base branch: master
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution (follow-redirects): 1.14.7
Direct dependency fix Resolution (actions-on-google): 3.0.0